Orwell versus the Terrorists
Crypto Wars and the Future of Surveillance
--
In a world in which the rules governing online activity are hazy, nebulous and often contradictory, we need a powerful and convincing model for the future of net-surveillance post-Snowden. This is an examination of the history of the online privacy battle, and a shocking glimpse of the frontline tactics of both sides.
The argument over national security and individual privacy is a pressing issue, but it’s hardly a new one. How any democratic society weighs up and trades liberty against safety gets re-examined each time a new technology or threat disrupts the established order. Governments have a tendency to see each new technology as a means to help them maintain order; radicals as a way to disrupt it. I doubt that will ever change — and in fact it’s a pretty healthy balance, a constantly straining but necessary tension. But occasionally that tension snaps: if governments overreach whatever finely balanced — yet usually invisible — consensus that has been reached on the extent to which governments can monitor its people, there is always a counter-reaction. As Kipling wrote in his famous poem The Reeds of Runnymede: ‘And still when mob or monarch lays; too rude a hand on English ways; the whisper wakes, the shudder plays …’
That shudder was felt in the very first spy scandal of the modern age, which took place in 1844 when the British Home Secretary, Sir James Graham, decided to secretly monitor the letters of Giuseppe Mazzini, the exiled leader of La Giovine Italia (Young Italy), a radical movement that hoped to create a united Italy. ‘No man’s correspondence is safe,’ charged a furious Times upon learning the details. ‘No man’s confidence can be deemed secret; the secrets of no family or no individual can be guaranteed from reaching the ear of a Cabinet Minister’. The Home Office became embroiled in scandal, as the public and chattering classes of the day rallied against what was largely seen as an indecent breach of individual privacy. However, when Mazzini petitioned Parliament, the Home Secretary replied that ‘it was not for the public good to pry or inquire into the particular causes which called for the exercise thereof’. He therefore would not ‘consent to enter into any further explanations’. Aside from the lamentable degeneration of political language, very little seems to have changed. But things did, for a while. The 1844 ‘Post Office Espionage Scandal’ more or less put an end to the political spying on letters for fifty years; it even led to the Home Office dismantling the cryptographic know-how of the department, an expertise that would be missed following the outbreak of the First World War. If the government oversteps that invisible line, it is often to its own detriment in the end.
The same predictable story of overreach, outrage and blowback unfolded again 150 years later. The technology was different, of course — but the underlying rule held firm. In the late 1980s, the US government was increasingly worried about this new, ungovernable public space of networked computing. Although still tiny, ‘cyberspace’ was becoming a nuisance to the law: untraceable paedophile networks were sharing illegal images of children, anonymous hackers were stealing intellectual property, neo-Nazis were pushing propaganda, and internet trolling was rife. In response, the FBI increased their monitoring of the net, and in 1990 launched ‘Operation Sundevil’, a nationwide, heavy crackdown on hackers. Worried by the spread of powerful cryptographic software, the US government also tried to limit its use by the public. Just as in Mazzini’s day, the response was not what the government was hoping for: crime continued, and net users reacted angrily to what they saw as a blatant infringement of civil liberties in this new space. In their space. Leading the counter-attack were the ‘cypherpunks’, a small collection of Californian libertarians determined to develop and share tools and techniques to keep activity online secret. It quickly grew in strength and number — and started taking on the government directly in what became known as the ‘crypto-wars’: the right and ability of ordinary citizens to stay secret and hidden online. The cypherpunks started an email list, on which almost every technique now employed by computer users to avoid government surveillance was predicted, invented or developed. Outraged by his government’s efforts to limit cryptography, software programmer Phil Zimmerman (although not actually a cypherpunk himself), decided to work on and then release an open source ‘Pretty Good Privacy’ text based encryption system for everyone and anyone to use, which is still the industry standard today. Around the same time, the Electronics Frontier Foundation — a digital liberties group — was set up and remains an influential and fierce defender of online privacy.
A New Battle
The crypto-wars continue to this day. But Snowden’s revelations mark the beginning of a new battle, the opening of a new flank. Today, public concern is about more than just government. The new crypto-war is about data.
These days we share inordinate amounts of information about ourselves online: our bank details, our love life, our holiday snaps; our whole lives are online. But it’s no longer just governments snaffling it all up — it is private companies, too. Think for a moment: do you ever wonder why it is that we get all these amazing internet services — Facebook, Twitter, YouTube, Gmail — for free? I rarely think about it, either, because I’m used to it all just being there, and always working. But it costs an awful lot of money to run these platforms: the server space, the highly skilled engineers, the legal teams. We are paying all right, just not in cash. We pay with our data and our privacy.
You probably have no idea how much of yourself you have already given away online, or how much it’s worth to the right people. What may seem like a gravel dump of information — shopping, musical preferences, holiday destinations — are jewels in the hands of the digital scavengers who trawl cyberspace looking for information they can sell: a mobile phone number or a private email address. In a typical week, Facebook users upload twenty billion pieces of content — pictures, names, preferences, shopping habits and other titbits. You are even creating data when you don’t realise it, because as you surf the web, thousands of ‘third-party cookies’ track your browsing habits. Smart phones are often full of apps collecting information about your activity every waking and sleeping moment.fn1 Quintillions — yes that really is a number — of pieces of data are being generated by you, about you, every year.
Getting hold of that data is, on the whole, perfectly legal, and very lucrative. Some analysts estimate we’re each giving away up to £5,000 worth of data annually — although to be honest no one really knows. Either way, a worldwide industry has emerged over the last decade dedicated to finding new ways of extracting and analysing this bounty. These ‘data brokers’ sit at its heart, like enormous clearing houses that buy, analyse and then sell online and offline data. One of the largest, the marketing company Axciom Corporation, is believed to hold information on about 500 million consumers around the world, and has annual revenue in excess of $1 billion. From thousands of fragments, they can build a remarkably accurate picture of every user they track. Once, it would have taken private detectives years of painstaking research to piece this together. Now, elegant algorithms and powerful computers turn this into something useful to anyone who wants to sell you something: your likely behaviour and your probable location are predicted with uncanny precision. Each year, these Little Brothers get smarter.
In some ways it’s a fair deal — free services in exchange for data. But it’s starting to feel, if not outright one-sided, then at least a little elusive. I doubt any of us ever read those complicated terms and conditions (and why would we? It would take hours a day to read them all) or really know what happens to our information once it’s out. And it is important to bear in mind that the data collection industry is just warming up. More and more everyday objects are being fitted with microchips and going online: fridges, wallets, cars, watches, clothing. Even hair: Sony has recently filed a patent for a SmartWig that could take photos and vibrate when you receive a message. Google’s augmented reality glasses (now discontinued, but surely to re-emerge somewhere) are able to record what and who you’re seeing; smart energy meters that can record your energy consumption patterns will be installed in every home by 2020. All of these devices will be collecting data. As it stands, no one really knows who will own all this information, how will it be regulated or where it’s all going to end up.
All this data has certainly helped to create an increasingly centralised web, Joss Wright, a researcher from the Oxford Internet Institute explained to me. Centralised systems are easier to build and maintain, and easier to control. Centralisation allows advertising, prompting large companies to pay for the infrastructure and server space to create attractive and functional services, thereby attracting a large number of users. Users mean data, and data means money. Money means better services, which in turn means more users …
But that has people worried, because centralisation also means power. Think about the subtle force these companies exert over what we encounter online: what we find, who we meet, and what we buy. It may feel like these platforms are public spaces, but they are not — controlled and run by companies based far away. Google’s search algorithm is increasingly personalised to your own search history, which means you end up finding stuff online it thinks you want. According to one recent study, if you tell your friends on Facebook you’ve voted, they are more likely to vote too. Given that Facebook could decide through its newsfeed algorithm who gets to see your proud declaration of civic duty — that power could theoretically affect the result of an election. I have no reason to believe Facebook would ever do that. But the point is: it’s possible, and you may not even notice if it came to pass. Civil liberties groups believe companies, police and governments have a mutual interest in keeping the data gold rush going. Intelligence agencies don’t need to spy on you any more: they simply go to your internet company, and prise out of them what they need. (This, incidentally, is precisely what the NSA’s Prism programme did — which was the very first revelation made by Edward Snowden.) And of course, having all this information centralised in one place is inevitably a honeypot for fraudsters and hackers, with identity and data theft increasing at an alarming rate.
Perhaps we’re sleepwalking into a new age, a world where everything is captured, stored, analysed, repackaged and sold. And where could that lead? What else could our data reveal about us? So-called ‘big data’ analysis is already able to predict a lot of human behaviour: what we might buy, what books we’ll read, what movies we’ll watch. In one bizarre case in the US, one online store knew someone was pregnant before she had told anyone, based on small changes in her shopping behaviour. (Sadly, algorithms have no subtlety, or gentleness: the data mining company sent this young woman adverts for maternity products, which were picked up by her confused and angry father. No doubt some smart nerds are trying to programme a thoughtful algorithm as we speak). We’re heading to a world of ubiquitous prediction, with the almighty algorithm predicting future behaviour on the basis of recorded past behaviour. Our love interests, what we read, where we eat — everything laid out for us, saving us the bother of spontaneity of thought or action. And what about the crimes we have not yet but might one day commit, à la Minority Report? What if the algorithm spotted that you’d been browsing sites in a similar way to a terrorist? What all this prediction — all this algorithmically filtered information we receive — might mean for human relationships, or freedom, or spontaneity is anyone’s guess. But it’s unlikely to be good.
Okay, okay. So maybe none of this is particularly new. Governments are interested in monitoring the population, of course. Big businesses are hungry for our data — why wouldn’t they be? Perhaps our private spheres are being eroded, but the benefit is convenience. But something is certainly stirring. It’s not quite Kipling’s reeds at Runnymede, but there’s a dawning realisation — part Snowden inspired, part a slower awakening — that internet privacy is important. According to the 2014 Deloitte Data Nation report, 24 per cent of people in the UK do not trust any type of organisation with their personal information.fn2 A recent report by the think tank Demos found that 18–25 year olds care more about online privacy than about immigration, welfare, environment, public finances or crime. There is a growing feeling that ‘they’ — companies, governments, hackers, anyone who knows more about computers than you do — are getting hold of your data and doing stuff with it you don’t condone, and don’t really understand. And because the world’s gone digital, that means unaccountable power and control. Whether digital or analogue, unaccountable power is always a bad thing.
People are taking action. There’s a fight-back, as I mentioned: a citizen-led counter-surveillance movement. Something that is going to change the net, and how we monitor it. Something I have been calling the Snowden Effect.
Part of the Snowden Effect, just like in the early nineties, has been a spurt in people finding new ways to cover their online tracks. This is the short-term effect. There’s been a flurry of ‘crypto-parties’ around the world, where internet users can learn about the latest techniques to protect their privacy online for free. Anonymous browsers like ‘Tor’, which are used to browse the net without giving away your location (and are used to access the ‘Hidden Services’, an encrypted network of sites that uses a non-standard protocol, which makes it close to impossible for websites or people who use them to be tracked) are becoming ever-more popular: there are now an estimated 2.5 million daily users. Facebook users, who used to be happy sharing everything with anyone, are inching towards more private settings. Phil Zimmermann’s PGP (‘Pretty Good Privacy’) encryption — that relic of the nineties crypto-wars which allows people to encrypt text and files — has been downloaded by millions. This will continue to grow, a sort of natural, organic response to growing concerns.
Then there’s the way the large tech companies have, in response to the Snowden revelations, become more hesitant to work with the intelligence agencies. That’s the medium term effect. I recently spoke to one official from a large social media platform provider who told me her company was very disappointed to learn of the extent of surveillance: ‘Our trust in the spies has been severely damaged. It will take years to rebuild it.’ Social media users need to know that the platforms they use are secure and safe. So in response, many of the large companies have added extra layers of encryption to their systems — making it harder for the spooks to spy on them. New social media companies have even popped up — like the ‘anti-Facebook’, ad-free social network site Ello. ‘Collecting and selling your personal data, reading your posts to your friends, and mapping your social connections for profit is both creepy and unethical,’ Ello declares. ‘Under the guise of offering a “free” service, users pay a high price in intrusive advertising and lack of privacy … Ello doesn’t sell ads. Nor do we sell data about you to third parties.’ Since so much of modern intelligence work now relies on internet-based companies handing over information to the authorities, this is a significant move.
But the long-term Snowden Effect is elsewhere. Motivated by an honourable desire to protect online freedom and privacy, hundreds of computer scientists and internet specialists are working on ingenious ways of keeping online secrets, preventing censorship, and fighting against centralised control. A veritable army motivated by a desire for privacy and freedom, trying to wrestle back control for ordinary people. This is where the long-term effects will be felt. Soon there will be a new generation of easy-to-use, auto-encryption internet services. Services such as MailPile, and Dark Mail — email services where everything is automatically encrypted. Then there’s the Blackphone — a smart phone that encrypts and hides everything you’re doing. There are dozens — hundreds, perhaps — of new bits of software and hardware like this that cover your tracks, being developed as you read this — and mainly by activists motivated not by profit, but by privacy. Within a decade or so I think they will be slick and secure, and you won’t need to be a computer specialist to work out how they work. We’ll all be using them.
And there are even more revolutionary plans in the pipeline. An alternative way of organising the internet is being built as we speak, an internet where no one is in control, where no one can find you or shut you down, where no one can manipulate your content. A decentralised world that is both private and impossible to censor.
Back in 2009, in an obscure cryptography chat forum, a mysterious man called Satoshi Nakamoto invented the crypto-currency Bitcoin.fn3 It turns out the real genius of Bitcoin was not the currency at all, but the way that it works. Bitcoin creates an immutable, unchangeable public copy of every transaction ever made by its users, which is hosted and verified by every computer that downloads the software. This public copy is called the ‘blockchain’. Pretty soon, enthusiasts figured out that the blockchain system could be used for anything. Armed with 30,000 Bitcoins (around $12 million) of crowdfunded support, the Ethereum project is dedicated to creating a new, blockchain-operated internet. Ethereum’s developers hope the system will herald a revolution in the way we use the net — allowing us to do everything online directly with each other, not through the big companies that currently mediate our online interaction and whom we have little choice but to trust with our data.
Already others have applied this principle to all sorts of areas. One man built a permanent domain name system called Namecoin; another an untraceable email system call Bitmessage. Perhaps the most interesting of all is a social media platform called Twister, a version of Twitter that is completely anonymous and almost impossible to censor. Miguel Freitas, the Brazilian who spent three months building it, tells me he was sparked into action when he read that David Cameron had considered shutting down Twitter after the 2011 riots. ‘The internet alone won’t help information flow,’ Freitas says, ‘if all the power is in the hands of a few people.’
This trend towards decentralised, encrypted systems has become an important aspect of the current crypto-wars.fn4 MaidSafe is a UK start-up that, in a similar way, wants to redesign the internet infrastructure towards a peer-to-peer communications network, without centralised servers. Its developers are building a network made up of contributing computers, with each one giving up a bit of its unused hard drive. You access the network, and the network accesses the computers. Everything is encrypted, and data is stored across the entire network, which makes hacking or spying extremely difficult, if not impossible. Nick Lambert, the Chief Operating Officer for MaidSafe, explained to me the vision. When you open a browser and surf the web it might feel like a seamless process, but there are all manner or rules and systems that clutter up the system: domain name servers, company servers, routing protocols, security protocols. This is the stuff that keeps the internet going: rules that route your request for traffic, servers that host that web page you’re after, systems that certify for your computer that the site you’re trying to access isn’t bogus. Because it all happens at the speed of light, it doesn’t feel cluttered up, of course. But all these little stages and protocols create invisible centres of power, explains Nick — be they governments, big tech companies or invisible US-based regulators — and they are all exercising control over what happens on the net. That’s bad for security, and bad for privacy. MaidSafe strips all this out. The end result, says Nick, will be a network that is very difficult to censor and offers more privacy. ‘Even if we wanted to censor users’ content, we couldn’t — because with this system we don’t know or have access to anything the users do. They’re in control.’ Nick accepts some people will misuse it — but that’s true of almost any technology. ‘Kitchen knives can cause harm,’ he says, ‘but you wouldn’t ban kitchen knives.’
As I see it, this powerful combination of public appetite and new technology means staying hidden online will become easier and more sophisticated. It might feel unlikely at a time when every click and swipe is being collected by someone somewhere, but in the years ahead, it will be harder for external agencies to monitor or collect what we share and see; and censorship will become far more difficult. A golden age of privacy and freedom. Perhaps.
Orwell
I’ve interviewed many of the people in the frontline of the battle, the people behind the extraordinary innovation currently taking place. They see the question of online privacy as the digital front in a battle over individual liberty: a rejection of internet surveillance and censorship that they believe has come to dominate modern life online. Their motivation is typically well intentioned: a desire to help make sure people can remain private and secret online, to keep communication open and not controlled by third parties.
I think some of these activists are a little optimistic about the way these technologies will propel society along. Almost as if human conduct conforms to the same predictable mathematical models as their clever encryption systems: build the privacy enhancing technology or improve access to computers and information, and everything else will fall into place. Technology has always been accompanied by utopian visions of how it will straighten man’s crooked timber, but these visions have all-too-often failed to materialise. The early nineties were ablaze with utopian ideas about humanity’s imminent leap forward, spurred by connectivity and access to information. Harley Hahn, an influential technology expert, predicted in 1993 that we were about to evolve ‘a wonderful human culture that is really our birth-right’. Meanwhile the technology magazine Mondo 2000 promised to give readers ‘the latest in human/technological interactive mutational forms as they happen … The old information élites are crumbling. The kids are at the controls. This magazine is about what to do until the millennium comes. We’re talking about Total Possibilities.’ Many of the net’s early advocates believed that, by enabling people to communicate more freely with each other, it would help to end misunderstanding and hatred. Nicholas Negroponte — former Director of the illustrious MIT Media Lab — declared in 1997 that the internet would bring about world peace, and the end of nationalism. For some, like John Perry Barlow, author of the Declaration of the Independence of Cyberspace, this new, free world could help to create just, humane and liberal societies — better than those ‘weary giants of flesh and steel’. None of them predicted the endless cat memes, or the inane holiday pictures, the Islamist propaganda, or child pornography networks.
But I’m being a little unfair here, since these changes towards more privacy and more freedom will, of course, produce enormous benefits to anyone who cares about those things, online or off. Privacy of all kinds serves a vital social and individual function. Syrian democrats really do create secret and untraceable chat rooms to coordinate activity. Russian dissidents really do use internet browsers like Tor to circumnavigate state censorship of the net. Homosexuals in the Middle East really do use encryption to avoid a knock at the door from brutal enforcers of state morality. Anonymising tools like the Tor browser has had a hugely beneficial effect on free expression around the world. In 2011 the Tor Project — the group that keeps network system going — was awarded the Free Software Foundation award in the ‘Projects of Social Benefit’ category, because it has allowed millions of people to access the net while retaining control over their privacy. Tor, after all, was ‘pivotal’ in helping to mobilise dissident movements in Iran and Egypt.
But it’s not just in the more hostile parts of the world that privacy matters. In most democratic societies, privacy creates a sphere of freedom for the individual, which allows for political, social and personal expression. Well-established democracies use secret ballots to ensure that people can express their political views without hindrance or fear.fn1 There are many ways that anonymity contributes to free expression. I, like many others, worry that even in democracies there is a marked increase in people getting arrested and prosecuted for saying things that are nothing more than offensive and rude and nasty. That results in one of the great dangers to free expression, which is self-censorship: silencing oneself for worry that we offend, or upset, or suffer repercussions. Genuine anonymity has and does grant people the space to speak their mind, to push boundaries, to propel society forward. In the US the eighteenth-century Federalist Papers — a brilliant series of essays in favour of the US constitution by Maddison, Hamilton and Jay — were anonymously authored. According to Mike Harris from the free-speech consultancy 89up — which advises NGOs and companies on privacy and free expression — ‘we used to view privacy and freedom of expression in conflict, but I see them as complementary. If you cannot hold private conversations, you cannot speak freely.’ That’s especially true of the whistleblowers: Edward Snowden himself used Tor to send information about the NSA’s Prism programme to the Washington Post and the Guardian.
The freedom to decouple your online persona from your offline persona has less grand but equally powerful benefits — allowing honesty without fear or favour. Take a day to day activity. It can be difficult to explore sensitive or personal subjects and ideas when everyone can see who you are. For example, for people with mental health conditions having somewhere you can go to speak honestly and openly without fear of being judged is extremely important — and the net is where many go to do it. Or to explore your sexuality. Or to ask advice about an embarrassing subject. Or whatever it is that you’d feel freer doing away from the glare of others.
Then there are all the financial and personal benefits of keeping yourself hidden online, which I’m probably not giving enough space to, although the entire health of the internet rests on it. Anything that helps create a secure network, allows people to keep their computers and data safe, will bring new economic and commercial gains for all of us. E-commerce, after all, wouldn’t work at all without strong encryption — because no-one would trust it.
There may even be some other, less obvious, benefits from online anonymity. The best way to illustrate this is with the example of anonymous market places currently thriving on Tor Hidden Services (sometimes called the dark net). Anyone can set up a site on the Tor network, using the same clever encryption that keeps its users hidden. And anyone can access the sites too, without anyone figuring out who’s who. Although it used to be a little tricky to set up, Tor now looks and feels like any other web browser. True, it’s a little slower, because it bounces your URL request around the world via several other ‘nodes’ that use the same software, which takes a little time, but that’s a price many are willing to pay for online anonymity. This parallel network of around 45,000 sites is typically discussed in the media as a den of criminality (it is) but it’s also one of the most interesting places on the net, because it’s exciting, uncensored, dangerous. And because people like things that are exciting and dangerous, a growing number of people are heading there. Not to break the law, but to have a different experience of the net, where you aren’t stalked by pop-up adverts and cookies. It’s almost like an alternative hang out where the cool older kids go. Aphex Twin, the musician, recently released his new album there. Facebook even, seeing the potential, set up a Hidden Service site there. The dark net — or dark nets, since there are several of these encrypted, uncensored networks — will very soon go mainstream. We’ll all be on them. Is that all bad?
Perhaps not. During the course of writing my book The Dark Net, I spent a lot of time on these dark net sites, and especially on the so called ‘dark net markets’, which are very popular there. In dark net markets, almost anything and everything can be bought and sold. The first thing that strikes you on signing up on these market sites is how eerily familiar they all feel — they’re just like eBay or Amazon. Every one of the thousands of products on offer has a detailed description, a photograph and a price. All products and vendors are rated out of five by buyers, who also provide detailed written feedback. There are customer service buttons and shopping carts and free-package-and-delivery and one-off specials. I, like thousands of others, placed an order; paid with bitcoin; and waited for my product to arrive in the post. Which it did, bang on time. The hardest thing is deciding what to buy, since there is an unbelievable choice of products on offer. The Silk Road 2.0 (which was closed by the FBI and other police forces in late 2014) was an anonymous market for anything, with few exceptions, which meant wares stretched from the mundane to the bizarre: listings I spotted on one visit included a complete box-set of The Sopranos and a hundred-dollar Marine Depot Aquarium Supplies voucher. In April 2014, the most popular selling item on the entire site was a fake £20 Tesco voucher. But most people are here for drugs. There are hundreds of vendors to choose from, selling every conceivable narcotic.
It’s the customer reviews, not clever encryption, that’s the key to understanding how and why these markets operate. All the vendors use pseudonyms, but they keep the same fake name to build up their reputation. Because it’s so easy for buyers to switch allegiance to any one of 900 competitors at any moment, the vendors are forced to compete for custom. The only way to get it is by having a history of positive feedback from other users. Good reviews can make a dealer’s reputation. As a result, dealers here are polite, attentive and consumer-centric — offering free delivery on big purchases, refunds, special offers and even loyalty systems. Some even offer freebies to anyone willing to write lengthy and careful feedback. It’s that powerful driver, market demand, mixed with new technology that makes these markets formidable. Every month the sites get smarter. In April 2014 ‘Grams’, a search engine for drugs, was launched. It includes ‘trending’ searches and advertising space. Some vendors are even branding their opium or cocaine as ‘fair trade’, ‘organic’ or sourced from conflict-free zones. ‘We are a team of libertarian cocaine dealers,’ writes one dealer: ‘we never buy coke from cartels! We never buy coke from police! We help farmers from Peru, Bolivia and some chemistry students in Brazil, Paraguay and Argentina. We do fair trade!’ Because it’s an actual functioning market, it operates in the interest of the consumer, not the drug cartel — providing safer, more reliable and higher quality drugs. That in turn could mean lower street crime related to drugs and, crucially, fewer deaths associated with overdosing and unreliable products.
The Terrorists
Seen from this vantage point, a decentralised world, a world of privacy, personal security and liberty, looks like an exciting and positive place. True, the benefits will be enormous. But so might the costs. The uncomfortable truth about all this — and it’s something the Orwellian-shouters often fail to acknowledge — is that there are other groups who will certainly benefit from it too. All these trends are wonderful for people with something to hide or propaganda to peddle. Bad people often have more to hide than decent people.
Take the Tor network, for example. According to researchers at the University of Luxembourg, 44 per cent of Tor Hidden Services are criminal: mainly those anonymous dark net markets (which, by the way, often sell far more dangerous things than drugs: some of them sell guns, bomb-making instructions, zero-hour exploit hacks and botnets). It’s also well established that serious child pornographers use encryption and anonymous browsers to stay one step ahead of the law, making it more or less impossible to rid the net of images of child abuse. According to one recent study by the University of Portsmouth, Tor Hidden Services (although not the browser itself) is most commonly being used to mask the child pornography trade. They found that child pornography sites accounted for nearly 83 per cent of all traffic via Tor nodes — although the sites themselves only accounted for 2 per cent of the 45,000 sites available on the network.2
It’s easy, but naive and foolish, to imagine serious criminals are technologically illiterate. Take terrorist groups — the main focus for intelligence agencies. They have long used a variety of types of encryption software in their communications.3 Back in 2007, al-Qaeda’s Global Islamic Media Front (GIMF) released their own encryption software: Asrar al-Mujahedeen. This was the first purpose-made Islamist encryption software, primarily used for email communications.4 It has since been updated many times, and now contains additional functions and is routinely promoted in jihadist magazines.5 Most recently, the al-Qaeda associated al-Fajr Technical Committee has released Amn al-Mujahid for Windows, which encrypts emails, instant messages and SMS. Tor, anonymous browsers and anonymity best practice are frequently discussed by terrorists on forums and websites, and not only by Islamic extremists.6 Anders Breivik, the Norwegian terrorist who murdered seventy-seven people in 2011, wrote a manual that set out best practice recommendations regarding the use of Tor and the Virtual Private Network service IPredator.7 A Tor Hidden Service is also believed to have been used by Ayman al-Zawahiri and Nasir al-Wuhayshi — al-Qaeda leaders to discuss high-level strategy, a communication that, when detected, led the US to temporarily close down twenty-one embassies.8
Take the current threat posted by the Syrian and Iraq-based ISIL. There’s no doubt they are a tech-savvy bunch, and a perfect example of how both enhanced privacy and the difficulty of censorship can be abused. Like most of us, they want to be secretive about some things, and very open and public about others: they want to be impossible to censor, yet impossible to locate. The physical ‘frontier’ of holy war is shifting to the virtual front — the professional media teams embedded with fighting units as well as the global network of media supporters.9 Since 2011, members of jihadist forums have issued media strategies that encourage the development of this media mujahidin. After all, you no longer need to fly halfway across the world to join your chosen extremist cause. You don’t even need to leave the house. You can be a jihadi from behind your screen, contributing to the effort with propaganda or cyber attacks. Social media is especially valuable to ISIL since it allows anyone to join this cyber jihad. A large quantity of propaganda is posted daily on Twitter each day from the US, the UK, Saudi Arabia, India, Russia. Anyone can grab the name and get to work.
So far, ISIL have organised hashtag campaigns on Twitter to generate internet traffic, and have been able to get those hashtags trending, generating still more traffic. They have even tweeted pictures of cats holding guns, in a bizarre mash-up of internet and jihadi culture. In their smartest coup, the group released, on the Google Store, a now banned Android app called ‘The Dawn of Glad Tidings’. Once registered, users automatically posted a stream of tweets carefully selected by social media operatives, released at irregular intervals to outwit the Twitter anti-spam filter. Their propaganda videos are well produced. This is all pretty standard stuff for any second-rate marketing and advertising company. For an Islamist movement, it is a bit of step forward.
Perhaps because we imagine them to be fundamentalist, cave-dwelling barbarians, we struggle to imagine they are also men of their time. Yes, they are nasty, violent, fundamentalists. But enough of them are also smartphone-using digital natives in their twenties. Note how the Islamists who murdered Drummer Lee Rigby took care to talk with smartphone-owning bystanders, knowing full well that it would make the front pages via YouTube.
Most impressively of all — and most relevant here — is how well they understand how to evade censorship and keep their material online. In truth, internet censorship has always presented practical difficulties and rarely has it proven effective outside repressive regimes. However, the rise of the social media has compounded such challenges. When YouTube deletes their propaganda, ISIL sympathisers immediately re-post it elsewhere, and alert followers to its new location — from where it is very quickly downloaded and re-posted across multiple sites. Censorship is close to impossible. By the time YouTube’s content manager has seen the video and taken steps to block it, it’s already sitting on thousands of users’ computers all over the world. Whenever their accounts are shut down, they immediately start another one — or, more often, have multiple accounts ready to hand. I’ve been taking a look at how ISIL are using Twitter. I found one user name, @xcxcx162, who had no less than twenty-one versions of his name, all lined up and ready to use (@xcxcx1627; @xcxcx1628, @xcxcx1629, and so on). Another ISIL sympathiser posted tweets under the handle @Cpd_Umar8246 for eight days before the account was shut down, at which point a new account, @Cpd_Umar_8246, started posting. When that was closed, @CpdUmar__8246 began. And so on. Most impressively, as soon as the new CpdUmar account was set up, he or she picked up all his or her followers almost immediately. According to Ali Fisher, a specialist who has been monitoring the way Islamists use social media for the last two years, these jihadist propaganda networks are stronger than ever. ‘They disseminate content through a network that is constantly reconfiguring, akin to the way a swarm of bees or flock of birds constantly reorganises in flight,’ Fisher tells me. ‘This approach thrives in the chaos of account suspensions and page deletions.’ Fisher reckons our efforts at censoring them actually helps them — gives them energy and motivation. He calls this a ‘user-curated’ swarmcast. They have established complex networks of influential accounts across multiple platforms. This creates an inherent resilience, and renders the effect of account suspension little more than a temporary inconvenience — followers are quickly able to locate the account’s designated replacement.10
It’s the same thing with the case of indecent images of children. In 1997, the NSPCC thought there were 7,000 illegal images in circulation. In 2012, the Child Exploitation and Online Protection Centre found an individual collector with over two million images on his computer. Tor Hidden Services — yes the network that keeps dissidents safe — also unfortunately acts as something of a recycling plant: people upload illegal material to a central hub, and then hundreds download onto their own servers or encrypted hard drives. When an illegal website is removed, someone creates another site and uploads it all again.
To make matters worse, the net has helped to shift the modus operandi of terrorist groups towards ‘lone wolf’ attacks, which refers to terrorists that organise and prepare on their own, rather than as part of a network or cell.fn2 Certainly, the number of lone wolf cases has increased steadily over the last decade, including the Islamist Major Nidal Malik Hasan, who murdered thirteen fellow soldiers at the Fort Hood army base in Texas in November 2009, in protest, it is believed, at the wars in Iraq and Afghanistan. It’s this type of attack that security services (in the UK and elsewhere) are extremely concerned by: low planning, low preparation, and difficult to prevent. I’m writing this the day after two Islamist radicals shot and murdered twelve people in the offices of the French satirical magazine Charlie Hebdo; as I write these words, another radical Islamist has taken a number of people hostage in a kosher supermarket in Paris (and murdered four people, I learn later). One of the reasons there has been an increase in lone wolves is because the barriers to entry have fallen. According to Jeffrey D. Simon, author of Lone Wolf Terrorism: Understanding the Growing Threat, the lone wolf is ‘the most innovative, most creative and most dangerous’ type of terrorist. Lone wolves aren’t restricted by ideology or hierarchy, and don’t need to worry about alienating their group or organisation. In Simon’s view, the wealth of easy-to-access information online facilitates the rise of lone wolves. In an age of constant media it only takes a relatively limited effort to produce an enormous stir. It only takes a lunatic with a gun or a knife to spread panic — it’s really not that difficult. But it’s almost impossible to stop, and it can carry enormous symbolic power.
Of course, the modus operandi of terrorist groups will morph: doing whatever they are able to do to cause the most destruction and terror. And some of that will inevitably shift online, too. Take computer hacking, which used to be a fairly specialised skill. Increasingly, the entry costs and level of expertise required are falling. It’s possible to download pre-written software to hack a computer system — or even just to pay someone to do it for you. And as more of our lives shift online — everything from our homes to our national critical infrastructure — this becomes more troubling. I anticipate that Islamist groups — and others — will increasingly seek to use hired-hand hackers to try to cause disruption and sow fear. Terrorists hiring hackers to attack a computerised flight control system? To knock websites offline with what’s known as a ‘distributed denial of service’ attack? To hack into your internet-enabled home? To use crypto-locker to lock you out of your own computer and extort money to get it back? Of course!
In Defence of the Security Services
So this is the very difficult environment in which the intelligence agencies and police are expected to work. Yet since the July 2005 attacks in London, it is believed that the British security services have prevented at least one or two serious terrorist attacks on the UK every year. According to a January 2015 speech by the head of MI5, Andrew Parker, in the last fourteen months the agency has stopped twenty terrorist attacks against the UK.
They have a remarkable record, but it has become a strange quirk of polite British society that no one ever seems to have a good word to say about our intelligence agencies. It is almost de rigueur to consider them evil, nasty, sinister — as if it is they, not bigoted murderous fundamentalists or powerful autocratic governments who are the real threat to liberty and freedom. And so each week a journalist or blogger or civil liberties activist pens a strongly worded defence of internet privacy, imagining themselves, perhaps, to be daring and outspoken critics of the powers that be. There is a cluster of people, a growing cluster, who have elevated internet privacy above all other rights, who drum out a now received notion: that liberty trumps safety, that the spooks are bad for our liberty. (I wonder if this is a strange mirror of how social media has turned us all into public figures, who post and share and comment, demanding to be looked at. With that mindset, why wouldn’t MI5 want to look at you too? The truth — that they don’t — might be a little hard to accept.)
It’s far harder these days actually to argue for tougher security or surveillance measures — and when you do (and I have) people in polite society consider you some kind of illiberal naïf, part of the system. It’s far easier to argue for more civil liberties when you do not, unlike the spies, carry the heavy burden of trying to keep people from getting blown up on the London Underground. I accept that there is a good reason for this consensus (and the reason our brave journalists are really not that brave at all) which is that there is a trust gap, a generalised agreement that the spooks are doing too much, and haven’t been as open and honest as we’d expect. In reality, government agencies may not be doing as much as we think. The independent UK Interception Commissioner reported recently to Parliament that ‘The interception agencies do not engage in indiscriminate random mass intrusion by misusing their powers. It would be comprehensively unlawful if they did.’ The problem is that it’s hard to know for sure because our intelligence agencies are caught in an almost impossible tangle: we rarely see the work they do, and nor should we. They are like a good football referee. A positive outcome is that nothing happens, and we don’t even realise they are there.fn1 As a result, though, they don’t ever get the credit they deserve for the work they do — and any necessary infringements on our liberties appear, naturally enough, unnecessary, since we don’t see what we gain in return.
Security is one of those public goods that seem unnecessary when you have it. We don’t think about it, except in the momentary flashes when it’s gone. Like in London when rioters are on the street (and I recall how my civil liberties-supporting friends, trapped in their homes, were demanding the police monitor social media more actively to get on top of the mob), or in Paris when fanatics are murdering innocent journalists. I’m of the view — maybe it’s an old-fashioned one, but I am now on what Churchill described as the conservative side of thirty — that security, that law and order, is the basis on which other liberties are able to be realised. That’s why the state’s primary responsibility is to provide public safety and security, since it is from this that all other liberties flow. It’s also why, for all the benefits of online privacy, it’s not an absolute right. Under Article 8 of the European Convention on Human Rights, the British citizen has ‘a right to respect for his private and family life, his home and his correspondence’. But then there is the vital clause: ‘in accordance with law’ and ‘necessary in a democratic society’. In the US, the right to anonymous political campaigning was established in a 1995 Supreme Court case, and in 1999, that ‘people are permitted to interact pseudonymously and anonymously with each other’ and again that caveat: ‘so long as those acts are not in violation of the law’ (my italics).
Let me sum up what is happening, and why I think it is so tragically dangerous. We demand perfect security, but thanks to the Snowden Effect, that’s going to be harder to achieve, for the reasons set out above: a consensus forming against mass surveillance; the fact the bad guys will find it increasingly easy to stay hidden, and the shift in terrorist activity that requires little planning, preparation or know-how. Immediately after the Snowden revelations, many within the intelligence community were complaining that terrorists would start changing their behaviour accordingly — but I think the real risk is the longer term consequences of more widely available encryption and uncensorable networks. That’s going to make their jobs harder. And yet simultaneously, we have an impression that the security services can see everything, and so should stop everything, which is impossible. The Snowden revelations have created a false impression that the intelligence agencies are monitoring every single thing we do online, our every click, swipe and movement. And the resulting opinion shift against internet surveillance limits the space the intelligence agencies can operate within. And because of the nature of online data — the fact there’s so much of it out there — there will always be some clue, some digital breadcrumb, that’s missed. More data doesn’t always mean more insight: it can also increase ‘noise’, making the ‘signal’ harder to pick out.fn2When they don’t succeed (and they can’t all the time) we’ll consider them useless. And when they do succeed, we don’t see or hear of it. And so we drift along: heavy-handed and veiled infringements resulting in public outcry, a loss of competence and confidence, fewer powers, a proliferation in tools to cloak and obscure activity online, and society becoming less safe. The result will be an intelligence agency that is seen as both omnipresent and incompetent, one that lacks broad public support and can’t do its job. This is the precise opposite of what we want.
Who Wins?
The question of privacy online is not a case of Orwell versus the terrorists. It’s far more technical, more nuanced, more dull than that. (These things usually are.) But if it continues in the same vein, with the same arguments repeated, and the same battles waged, it will remain in stasis, stuck, unless something changes.
In order to move forward, our intelligence and counter-terrorism work needs to change what it does quite dramatically. We desperately need a strong and publicly supported intelligence architecture to help keep us safe: from cyber espionage, terrorism, nuclear proliferation and dictatorial regimes that aren’t limited by democratic controls. I don’t want a denuded intelligence agency. But in a post-Snowden world, the intelligence agencies need to earn respect and trust rather than assume it; they must respond to the challenges thrown up by new and ever-changing technology to stay both effective and popular. Here are three big ideas for how they can do it.
First, we need more James Bonds and fewer Edward Snowdens — a return to more ‘old-fashioned’ intelligence work. Yes, the stuff of the movies. Because of the explosive growth of online data, much modern intelligence work is now based on ‘big data’ traffic or network level investigation — the sort of data collection and pattern spotting revealed by Snowden. As worries about internet privacy continue to grow, and as it gets easier to evade this type of surveillance via encryption, such methods will prove both less popular and less effective. But I don’t want a society in which there are places terrorists or organised criminals can communicate utterly and inexorably beyond the reach of legally constituted intelligence agencies. I don’t want a single computer they can’t track, a code they can’t break, an email account they can’t access — I just want to make sure these powers are used in a very limited way, based on legal authority, and driven by clear principles we can all understand. So they should ditch some of the bulk data collection, dragnet programmes like Tempora and Prism, in favour of more targeted and ‘human’ intelligence in future. This doesn’t mean defanging our intelligence agencies, rather providing the authorities with more powers to identify and monitor individuals. And that will require greater investment in new people, new skills, new capabilities: for example, more power and personnel to hack into targets’ computers or phones, or to place malware or tracking tools on their hardware; more digital spies that specialise in undercover work online.
Second, we need to transform how we oversee spy work. Spying is by definition secretive; but we rightly want to know these powers to curtail liberties are used proportionately, and when strict, tightly defined and legal requirements are met. Intelligence work in general is predicated not only on the public’s consent and understanding, but also on the active partnership and participation of people and communities.11Therefore, because some degree of secrecy will always be necessary, it’s important that people have confidence in whatever system oversees it all. As it stands, though, the oversight and scrutiny systems are typically staffed by people drawn from the same establishment they are supposed to oversee. The main oversight structure at the moment is the Intelligence and Security Committee (ISC). I’m not denigrating their work or the individuals on the committee — I’m quite certain every member is decent, hard-working and upstanding. But they are hardly a reflection of society writ large. Judge for yourself:
% on the ISC% general publicKnights220.000018Women2251Ethnic Minority013Under 40044
The set-up is so distant from and unfamiliar to most ordinary people — us, the people subjected to surveillance — and so close and familiar to the people who are part of the system itself. (The chair of the committee, Sir Malcolm Rifkin, is a former Defence Secretary and Foreign Secretary.) This risks creating a very narrow perspective on what’s reasonable for intelligence agencies to do. At the heart of the legal infrastructure governing oversight — especially the current law, the Regulation of Investigatory Powers Act — are three animating principles: proportionality, necessity and legitimate aim. The principles of ‘necessity’ and ‘legitimate aim’ are fairly easily defined within an operational context, but proportionality is not because it is made by balancing the seriousness of the intrusion into the privacy of the subject of the investigation against the need of the activity in investigative terms.12 In the context whereby privacy is less clearly understood, different people, with different backgrounds, life experiences and beliefs will quite legitimately take different positions on whether some acts of intrusive surveillance are proportionate. We need therefore to broaden the backgrounds and experiences of those who are able to contribute to the oversight of whether a judgement about a given interference with privacy is proportionate or not; and broadening it out will, I think, also engender greater trust in the system.
I’m not in favour of seeking to make every single institution a cross-section of society, aside from in a small number of significant areas. But we can do better than this. Here’s a suggestion: bring in ordinary people. Create a ‘surveillance jury’ of randomly selected members of the public who would sit alongside, or even on, the ISC to produce post hoc advice on a small number of selected cases of intrusive surveillance, randomly selected for review. It should be supported by other oversight bodies, and a small technical secretariat of experts, to assess whether, in each case, the interference with privacy was proportionate.fn1 We should go further still: ensuring some degree of involvement of civic society in intelligence oversight. Independent, responsible members of civic society can better understand the practical pressures and daily trade-offs of intelligence work. Embedding civil liberty campaigners in police command centres during the policing of demonstrations has worked well.13 Subject to agreements on what can and cannot be published, this has allowed the presence of an informed, independent commentary on police action. Let’s do the same here.
Finally, security services — in fact all of us — need to readdress some priorities: relying less on censorship and the removal of information and more on preventing serious and violent harm to people. Stopping the flow of information — however much we dislike it — will be harder and more resource intensive in future. That means taking a more strategic approach. Although all governments promise to rid the net of child pornography, I’m afraid it’s not possible, however much we wish it. In future, we will need to focus our resources on the most serious offenders here — those who seek to physically abuse children, those who make and distribute illegal images, rather than trying to pick off everyone. (That might require new alliances too: it is, after all, Anonymous hacktivists that are one of the most effective and active groups at trying to remove illegal pornography from the internet — we should view them as allies rather than enemies, as we need all the allies we can get.) The same goes for how we fight terrorist propaganda online. Trying to remove ISIL propaganda from the internet is a fool’s errand, and it’s plainly not working. ISIL know they are going to be censored. As Ali Fisher told me, it even gives them energy and re-invigorates their efforts. This is why they move quickly, always changing platforms and user names, distributing content quickly. It’s hard enough already, and as more social network sites emerge that are like Twister, or Maidsafe, the job of trying to keep on top of this will become close to fruitless. We should stop trying to remove terrorist propaganda and focus on preventing actual murderous attacks. After all, there is no evidence that watching online propaganda turns anyone into a terrorist. Perhaps it does the opposite. Coming into contact with radical and controversial ideas might allow people to sharpen their own sense of right and wrong. Democracies are noisy, chaotic places to live, where good and bad ideas clash and you have to allow people to reach their own conclusions about what they think. I’ve seen a lot of terrorist material, and all it’s done for me is to persuade me these people are narcissistic, murderous, thuggish, irreligious brutes. We should trust people to reach the same conclusion, and I think on the whole they will. That, in turn, demands more of us: we all have a duty and a responsibility to get involved in the battle for ideas. It used to be waged from on high. Today it’s more like hand-to-hand combat, played out across millions of social media accounts, twenty-four hours a day. The same tools used by extremists are free to the rest of us too. That gives all of us both the opportunity and the responsibility to defend what it is we believe. Any of us can now argue with an ISIL operative currently in Syria, via Twitter, all from our own home. The battle for ideas online can’t be won, or even fought, by governments. It’s down to us.
The traditional model of counter-terrorism and intelligence is one of secrets and whispers. It’s based on top-down control: stemming the flow of information, disrupting and restricting the way terrorists and serious criminals communicate and operate. But the bad guys — like all of us — now live online, and the internet runs to a very different logic: it allows for the production and distribution of information, without limits or control, open to all and hard to repress. On balance, this is a positive thing for individual freedom, opportunity and equality. It will always be used for ill purpose too, which is why we will increasingly depend on strong intelligence services that people can trust. With the changes that are coming, their work will get harder. In the end we have to accept that perfect safety is illusory, an illusion that will be increasingly exposed. That means society will be a little more open, a little more liberal, a little more scary, and perhaps a little more dangerous. But I think any democracy worthy of the name can live with that, because it’s the price of freedom.
